bholloway / resolve-url-loader

Webpack loader that resolves relative paths in url() statements based on the original source file

the rework dependency is bringing old libraries #140

Closed stof closed 4 years ago

stof commented 4 years ago

Given that rework is unmaintained (last release was 5 years ago), it brings a bunch of outdated libraries with it (a very old convert-source-map for instance), which increases the size of node_modules and the API surface for potential security issues.

By default, rework is not used anymore for the engine. Maybe it should not be a dependency anymore.

bholloway commented 4 years ago

@stof although I agree with you, I am not sure it is practical for you to address every OSS dependency in your lockfile.

Although I would like to deprecate the rework engine, some people do rely on it to ease their upgrade path. Right now it is not a priority for me to externalise it, but I agree that would be ideal.

bholloway commented 4 years ago

I've started the process to deprecate rework for v4 so that it can be removed in v5. See #134.